Schemes and methods of integrity protection in mobile communication

ABSTRACT

This invention introduces methods and mechanisms of partial integrity protection in mobile systems. A user equipment (UE), comprising: a memory configured to store instructions; and a processor configured to execute the instructions to: receive, from a network device, user plane data having integrity protection; send an error indication indicating an integrity protection error relating to the user plane data; and receive retransmitted user plane data from the network device with a reduced data rate, based on the error indication.

This application is a National Stage Entry of PCT/JP2019/043081 filed on Nov. 1, 2019, which claims priority from EP Patent Application 18204190.5 filed on Nov. 2, 2018, the contents of all of which are incorporated herein by reference, in their entirety.

TECHNICAL FIELD

The present disclosure relates to a communication system. The disclosure has particular but not exclusive relevance to wireless communication systems and devices thereof operating according to the 3rd Generation Partnership Project (3GPP) standards or equivalents or derivatives thereof. The disclosure has particular although not exclusive relevance to integrity protection in the so-called ‘5G’ (or ‘Next Generation’) systems.

BACKGROUND ART

In mobile systems, such as 3GPP defined 2G, 3G, 4G, and 5G systems, confidentiality protection (ciphering) and integrity protection are defined in the respective specifications. In the case of 5G system, the system architecture is specified in Technical Specification (TS) 23.501 [5] and TS 23.502 [6], and the security architecture is defined in TS 33.501 [7].

Confidentiality protection refers to the mechanism in which the content is being concealed from the unintended recipient by use of ciphering (or encryption). Integrity protection refers to the mechanism in which the original content is protected by use of techniques to detect changes in the content when it is received by the intended receiver, thus preventing man-in-the-middle attack.

In 3GPP systems, usage of confidentiality protection and integrity protection are separately defined in Access Stratum (AS) and Non-Access Stratum (NAS), resulting in the following 8 types of protection:

TABLE 1 Types of protection in 3GPP systems

Plane | Protection | Access Stratum (AS) | Non-Access Stratum (NAS)
Control Plane (CP) | Confidentiality protection | Confidentiality protection of CP at AS level | Confidentiality protection of CP at NAS level
Control Plane (CP) | Integrity protection | Integrity protection of CP at AS level | Integrity protection of CP at NAS level
User Plane (UP) | Confidentiality protection | Confidentiality protection of UP at AS level | Confidentiality protection of UP at NAS level
User Plane (UP) | Integrity protection | Integrity protection of UP at AS level | Integrity protection of UP at NAS level

NOTE: AS refers to the segment in the mobile system where distinct radio technology is used between the base station and the User Equipment (UE). The radio technology used depends on the generation. NAS refers to the end-to-end connection between the UE and the Core Network (CN) which is independent from the AS (i.e., independent from the underlying radio technology being used).

As shown in Table 1 above, there are a total of 8 different types of protection.

In 4G (LTE) and 5G systems, both confidentiality protection and integrity protection in Control Plane (CP) are mandatory. This ensures that signaling to set up a call, execute handover, etc. is protected. However, confidentiality protection and integrity protection in User Plane (UP) are optional. In real-world deployments, either type of protection in UP may not be applied.

Specifically for integrity protection in UP, there are several reasons why it is not mandatory: 1) integrity protection is not useful or beneficial in certain traffic types, and 2) limitation in the hardware in terms of performance to perform integrity protection.

For the first case, for example, voice communication requires constant stream of voice information in real-time manner with rather strict time-bound in order to make the voice communication usable. Excessive delay makes the voice communication often unusable. In this context, re-transmission usually does not help. Also, voice communication can often tolerate occasional error or packet loss as human voice information is inherently redundant. In this context, use of integrity protection does not add value.

For the second case, it is known [4] that UE has a performance limitation in terms of the maximum data rate of Data Radio Bearer (DRB) for which integrity protection of the entire payload is possible in both UL and DL directions. (NOTE: DRB is a Radio Bearer (RB) that carries the user data, as opposed to Signaling Radio Bearer (SRB) which carries signaling data for both AS and NAS level signaling.) In other words, if the data rate exceeds a certain threshold, the UE can no longer execute the integrity protection to cover the entire payload at PDCP level. On the other hand, if the data rate is below a certain threshold, the UE can perform integrity protection for the entire PDCP PDU payloads. PDCP protocol is defined in [8].

The above described condition of UE's performance limitation is essentially bound by the hardware (i.e. chipset) limitation in the UE.

This condition leads to the following situation:

-   If the integrity protection for the UP is used and the data rate is below a certain threshold, full integrity protection is possible. In this case, full integrity protection is more beneficial in order to maximize the level of protection.
-   On the other hand, if the integrity protection for the UP is used and the data rate is above this threshold, full protection is no longer possible. In this case, the integrity protection scheme needs to be changed from full protection to some other scheme, such as switching to partial protection or no protection at all.
-   Likewise, if the data rate goes down below the threshold, then full integrity protection becomes possible again. In this case, re-applying full integrity protection is beneficial to maximize the level of protection.
-   The above points imply that there needs to be coordination between the UE and the network, and between Network Elements (NE) to signal and coordinate the integrity protection to be used for the UE.
-   The above point implies that a mechanism is needed to:
    1. Determine the threshold for a given UE.
    2. Monitor the data rate of the UE.
    3. Determine the integrity protection scheme to be used for a given UE based on the detected data rate against the threshold.
    4. Switch the integrity protection scheme based on the above decision.
    5. Coordination among UE, RAN node, and CN to conduct the integrity protection scheme change.

There are some prior arts in [1], [2], and [3] in which the concept of “partial integrity protection” is introduced. However, they do not define a mechanism to handle the above 3 points.

SUMMARY OF INVENTION

Technical Problem

Based on the discussion above, we can state the problem as follows:

UE is known to have hardware limitation in terms of data rate (b/s) where integrity protection of the entire PDCP PDU payload can be done. When the data rate exceeds this threshold, either the integrity protection needs to be turned off or partial protection needs to be employed where only a subset of the PDCP payload is integrity protected. This implies that there needs to be a mechanism in place to: 1) determine the threshold for a given UE, 2) measure and determine the data rate, and 3) switch the integrity protection scheme.

There are prior arts where this partial integrity protection is done. However, they do not describe a mechanism to support these stated functionalities.

Solution to Problem

According to an aspect of the present disclosure, a user equipment (UE), includes: a memory configured to store instructions; and a processor configured to execute the instructions to: receive, from a network device, user plane data having integrity protection; send an error indication indicating an integrity protection error relating to the user plane data; and receive retransmitted user plane data from the network device with a reduced data rate, based on the error indication.

According to another aspect of the present disclosure, a method includes: receiving, by a user equipment and from a network device, user plane data having integrity protection; sending, by the UE, an error indication indicating an integrity protection error relating to the user plane data; and receiving, by the UE, retransmitted user plane data from the network device with a reduced data rate, based on the error indication.

According to another aspect of the present disclosure, a network device includes: a memory configured to store instructions; and a processor configured to execute the instructions to: send, to a user equipment (UE), user plane data having integrity protection; receive an error indication indicating an integrity protection error relating to the user plane data; and send, to the UE, retransmitted user plane data with a reduced data rate, based on the error indication.

According to another aspect of the present disclosure, a method includes: sending, by a network device and to a user equipment (UE), user plane data having integrity protection; receiving, by the network device, an error indication indicating an integrity protection error relating to the user plane data; and sending, by the network device and to the UE, retransmitted user plane data with a reduced data rate, based on the error indication.

Advantageous Effects of Invention

With the above configurations, the present disclosure can provide the UE, the network device, and the method that solve the problem as mentioned above.

BRIEF DESCRIPTION OF DRAWINGS

FIG. 1 shows an example of determination of UE's supported data rate.

FIG. 2 shows an example of determination of UE's supported data rate.

FIG. 3 illustrates several possible procedures for the UE to indicate its capability or rule indication to the RAN and/or CN.

FIG. 4 illustrates several possible procedures for the RAN node to indicate its rule to the UE.

FIG. 5 shows an example of RAN's indication on integrity protection scheme.

FIG. 6 illustrates the procedures for the CN to indicate its rule to the RAN node.

FIG. 7 illustrates the procedures for the end-to-end integrity protection rule.

FIG. 8 describes the procedure in the transmitting side.

FIG. 9 illustrates one example of the use of reserved bits.

FIG. 10 describes the procedure in the receiving side.

FIG. 11 shows the general components of the User Equipment.

FIG. 12 shows the general components of the base station.

FIG. 13 shows the general components of the network element.

FIG. 14 schematically illustrates a mobile telecommunication system to which the above embodiments are applicable.

FIG. 15 is a block diagram illustrating, in more detail, the main components of the UE shown in FIGS. 11 and 14.

FIG. 16 is a block diagram illustrating, in more detail, the main components of an exemplary (R)AN node shown in FIGS. 12 and 14.

FIG. 17 is a block diagram illustrating, in more detail, the main components of a generic core network node shown in FIGS. 13 and 14.

DESCRIPTION OF EMBODIMENTS

First Embodiment—Determination of UE's Capability on Full Integrity Protection

Variant 1:

This variant describes the mechanism in which the network determines the UE's capability with respect to the data rate the UE 300 can support full integrity protection. In this variant, the DL UP data rate adjustment (throttling) is done at the RAN node 500. Once the RAN node 500 determines the UE's capability with respect to the DL UP data rate for which it can perform full integrity protection, this capability information for this UE 300 is shared with the CN 700.

The steps are described as follows:

1. Connection is established between the UE 300 and the CN 700.
2. DL UP traffic (e.g., web browsing) is being sent from the CN 700 to the UE 300 via RAN node 500 with full integrity protection.
3. The UE 300 does the integrity protection check on all received packets.
4. If the UE 300 is not able to process all integrity protection check in all received packets in the ongoing data rate, the UE 300 indicates that the UE 300 is not able to process integrity protection for all DL UP packets (error indication) to the RAN node 500, by AS signaling, for example.
5. Upon receiving the indication from the UE 300 for not being able to process integrity protection for all DL UP packets, the RAN node 500 adjusts the data rate of the DL UP traffic. In some aspects, the RAN node 500 throttles down the data rate of the DL UP traffic using a method such as a predetermined value or other heuristic mechanism.
6. The RAN node 500 re-transmits the DL UP packets to the UE 300 with the reduced DL data rate and with full integrity protection.
7. (optional) If necessary, steps 3 through 6 are repeated with additional reduction of the DL UP data rate.
8. Due to the reduction in the data rate, the UE 300 can successfully execute the integrity protection for all DL UP packets.
9. (optional) The UE 300 indicates to the RAN node 500 that the UE 300 can successfully execute the integrity protection for all DL UP packets, by AS signaling, for example. Alternatively, the UE 300 does not send any indication to the RAN node 500, in case the absence of error indication from the UE 300 implies successful handling of integrity protection checking in the UE 300 of all DL UP packets.
10. The RAN node 500 stores the last adjusted DL UP data rate for which the UE 300 successfully executed the integrity protection of all DL UP packets.

Alternate Procedure 1:

11. The RAN node 500 indicates the UE's capability information to the CN 700.

Alternate Procedure 2:

11. The CN 700 queries the RAN node 500 for the UE's capability information.
12. The RAN node 500 responds with the UE's capability information to the CN 700.
13. The CN 700 stores the UE's capability information.

Variant 2:

This variant describes the mechanism in which the network determines the UE's capability with respect to the data rate the UE 300 can support full integrity protection. In this variant, the DL UP data rate adjustment (throttling) is done at the CN 700. Once the CN 700 determines the UE's capability with respect to the DL UP data rate for which it can perform full integrity protection, this capability information for this UE 300 is shared with the RAN node 500.

The steps are described as follows:

1. Connection is established between the UE 300 and the CN 700.
2. DL UP traffic (e.g., web browsing) is being sent from the CN 700 to the UE 300 via RAN node 500 with full integrity protection.
3. The UE 300 does the integrity protection check on all received packets.
4. If the UE 300 is not able to process all integrity protection check in all received packets in the ongoing data rate, the UE 300 indicates that the UE 300 is not able to process integrity protection for all DL UP packets (error indication) to the CN 700, by AS signaling, for example.
5. Upon receiving the indication from the UE 300 for not being able to process integrity protection for all DL UP packets, the CN 700 adjusts the data rate of the DL UP traffic. In some aspects, the RAN node 500 throttles down the data rate of the DL UP traffic using a method such as a predetermined value or other heuristic mechanism.
6. The CN 700 re-transmits the DL UP packets to the UE 300 with the reduced DL data rate and with full integrity protection.
7. (optional) If necessary, steps 3 through 6 are repeated with additional reduction of the DL UP data rate.
8. Due to the reduction in the data rate, the UE 300 can successfully execute the integrity protection for all DL UP packets.
9. (optional) The UE 300 indicates to the CN 700 that the UE 300 can successfully execute the integrity protection for all DL UP packets, by AS signaling, for example. Alternatively, the UE 300 does not send any indication to the CN 700, in case the absence of error indication from the UE 300 implies successful handling of integrity protection checking in the UE 300 of all DL UP packets.
10. The CN 700 stores the last adjusted DL UP data rate for which the UE 300 successfully executed the integrity protection of all DL UP packets.

Alternate Procedure 1:

11. The CN 700 indicates the UE's capability information to the RAN node 500.

Alternate Procedure 2:

11. The RAN node 500 queries the CN 700 for the UE's capability information.
12. The CN 700 responds with the UE's capability information to the RAN node.
13. The RAN node stores the UE's capability information.

Advantages of this variant are summarized as follows:

-   The network (RAN 500 and CN 700) can automatically determine the UE's capability in terms of the maximum data rate for which the UE 300 can process the full integrity protection.
-   An explicit indication by the UE 300 to the RAN 500 and CN 700 with respect to its capability (e.g., maximum data rate for which full integrity protection is possible) is not necessary.
-   This variant works for all UEs irrespective of its indication to the network with respect to the UE's capability of the maximum data rate for which the UE 300 can process the full integrity protection.
-   The above procedure is required only once per UE 300 because the maximum data rate for which full integrity protection is possible is hardware-bound limitation. Therefore, once this value is known for a given UE 300, it does not change.
-   In case a user changes a UE hardware, the above procedure can simply be repeated for the network to obtain the new capability information.
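
An added simulation of steps 3 through 10 of Variant 1 (not code from the patent): the RAN node throttles the DL rate until the UE stops sending the error indication, then stores that rate and shares it with the CN. The UE limit, the percentage throttle step and the rate floor are constructed assumptions; running two step sizes shows how far the stored value can sit below the real hardware limit and what that costs in retransmissions.

```python
from dataclasses import dataclass, field


@dataclass
class UE:
    ue_id: str
    # Hardware-bound limit for full integrity checking (constructed value).
    # It is never signalled; the network only observes error indications.
    max_full_ip_rate_bps: int

    def error_indication(self, dl_rate_bps: int) -> bool:
        """Steps 3-4: True when not every DL UP packet could be checked."""
        return dl_rate_bps > self.max_full_ip_rate_bps


@dataclass
class CoreNetwork:
    capability_bps: dict = field(default_factory=dict)


@dataclass
class RanNode:
    throttle_percent: int            # assumed "predetermined value" for step 5
    floor_bps: int = 1_000_000       # assumed lowest rate worth trying
    capability_bps: dict = field(default_factory=dict)

    def __post_init__(self):
        # A step of 100% or more would never reduce the rate.
        if not 0 < self.throttle_percent < 100:
            raise ValueError("throttle_percent must be between 1 and 99")

    def discover(self, ue: UE, start_rate_bps: int):
        """Return (stored rate or None, number of throttled retransmissions)."""
        rate, rounds = start_rate_bps, 0
        while ue.error_indication(rate):               # steps 3-4
            if rate <= self.floor_bps:
                return None, rounds                    # nothing to store
            # Step 5: throttle down; integer maths keeps the result exact.
            rate = max(self.floor_bps, rate * self.throttle_percent // 100)
            rounds += 1                                # step 6: retransmit
        self.capability_bps[ue.ue_id] = rate           # step 10
        return rate, rounds

    def indicate_to_cn(self, cn: CoreNetwork, ue_id: str) -> None:
        """Alternate Procedure 1, step 11: share the stored capability."""
        cn.capability_bps[ue_id] = self.capability_bps[ue_id]


def compare_steps(ue: UE, start_rate_bps: int, percents):
    """Run discovery once per throttle step: {percent: (rate, rounds)}."""
    return {p: RanNode(throttle_percent=p).discover(ue, start_rate_bps)
            for p in percents}


if __name__ == "__main__":
    ue = UE("ue-300", max_full_ip_rate_bps=64_000_000)   # constructed limit
    for pct, (rate, rounds) in compare_steps(ue, 200_000_000, [50, 90]).items():
        print(f"throttle to {pct}%: stored {rate} b/s "
              f"after {rounds} retransmissions")
```

The stored rate is always at or below the UE's real limit, so a coarse step trades fewer retransmission rounds for a more pessimistic capability record.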

Second Embodiment—Control of the Integrity Protection Scheme Selection

This embodiment describes the mechanisms of how the integrity protection between the UE 300 and the RAN node 500 is controlled.

There can be multiple different approaches to achieve the similar end result.

Variant 1:

In this variant, the UE 300 indicates its capability or rule (or its preference) in terms of the use of integrity protection, and the network determines the integrity protection mechanism accordingly under various conditions.

In one example, the UE 300 indicates its preference of the use of integrity protection under different conditions. This is illustrated in Table 2.

TABLE 2 UE's capability (or preference) on integrity protection scheme

Condition | UE's capability (or preference)
1) metric value < threshold A | Full integrity protection
2) Threshold A <= metric value < threshold B | Full integrity protection or Partial integrity protection
3) Threshold B <= metric value | Partial integrity protection

In Table 2, “threshold A” and “threshold B” indicate a certain condition for which the UE 300 is under. In one example, the threshold can indicate data rate, such as specific to DL traffic, specific to UL traffic, or both DL and UL traffic. In another example, these thresholds can represent metric other than data rate, such as UE device type, type of services the UE uses, etc.

The following description is based on the data rate being used as the threshold.

Condition 1 indicates the data rate is below a certain threshold for which the UE 300 can perform full integrity protection on all UP traffic. Condition 2 indicates the data rate is in the “border line zone” where the full integrity protection on all UP traffic may not be possible. Under this condition, the UE 300 uses either full or partial integrity protection depending on factors such as the actual traffic rate at the time of transmission or reception, etc. Condition 3 indicates the data rate is above the threshold where the UE 300 can no longer perform full integrity protection on all UP traffic.

In one example, there can be only one threshold or multiple thresholds being indicated by the UE 300 (2 thresholds shown in the example in Table 2).

Threshold A and threshold B in this indication can be determined by the UE 300 or pre-configured in the UE 300 and the network.

The UE 300 indicates this information to the network (RAN 500 and/or CN 700) so that the network side becomes aware of the UE's capability or rule in terms of the data rate it can perform for full integrity protection.

FIG. 3 illustrates several possible procedures for the UE 300 to indicate its capability or rule indication to the RAN 500 and/or CN 700.

In alternate procedure 1, the UE 300 sends the UE capability indication to the RAN node 500, and the RAN node 500 optionally forwards this information to the CN 700. In alternate procedure 2, the UE 300 sends the UE capability indication to the CN 700, and the CN 700 optionally forwards this information to the RAN node 500. In alternate procedure 3, the UE 300 sends the UE capability indication to both RAN node 500 and the CN 700. The UE 300 and the RAN node 500 execute the UP traffic transfer using the integrity protection rule provided by the UE 300.

Advantages of this variant are summarized as follows:

-   The network (RAN node 500 and/or CN 700) can know the UE's capability as directly informed by the UE 300 itself.
-   This scheme is beneficial for determining the integrity protection scheme in the RAN node 500 or CN 700 for DL UP traffic.

Variant 2:

In this variant, the RAN node 500 indicates its rule (or preference) to the UE 300 for the integrity protection rule. The integrity protection rule consists of similar type of information as described in variant 1 in the preceding section. But instead of this information being sent by the UE 300, in this variant, the RAN node 500 provides the rule to the UE 300.

In this example, the integrity protection rule can be represented in Table 3.

TABLE 3 RAN node's rule (or preference) on integrity protection scheme

Condition | RAN node's rule (or preference)
1) metric value < threshold A | Full integrity protection
2) Threshold A <= metric value < threshold B | Full integrity protection or Partial integrity protection
3) Threshold B <= metric value | Partial integrity protection

In Table 3, “threshold A” and “threshold B” indicate a certain condition for which the UE 300 is under. In one example, the threshold can indicate data rate, such as specific to DL traffic, specific to UL traffic, or both DL and UL traffic. In another example, these thresholds can represent some other metric other than data rate.

The following description is based on the data rate being used as the threshold.

Condition 1 indicates the data rate is below a certain threshold for which the UE 300 is requested to perform full integrity protection on all UP traffic. Condition 2 indicates the data rate is in the “border line zone” where the full integrity protection on all UP traffic may not be possible. Under this condition, the RAN node 500 uses either full or partial integrity protection depending on factors such as the actual traffic rate at the time of transmission or reception, etc. Condition 3 indicates the data rate is above the threshold where the UE 300 is no longer requested to perform full integrity protection on all UP traffic.

In one example, there can be only one threshold or multiple thresholds being indicated by the RAN node 500 (2 thresholds shown in the example in Table 3).

Threshold A and threshold B in this indication can be determined by the RAN node 500 or pre-configured in the UE 300 and the RAN node 500.

The RAN node 500 indicates this rule to the UE 300 so that the UE 300 becomes aware of the integrity protection scheme to be used based on the defined thresholds.

FIG. 4 illustrates several possible procedures for the RAN node 500 to indicate its rule (or preference) to the UE 300.

The steps are described as follows:

1. The RAN node 500 determines the integrity protection rule.
2. The RAN node 500 informs the rule to the UE 300, by sending AS message including the integrity protection rule, for example.
3. (optional) the UE 300 responds to the RAN node 500 to indicate whether it agrees with the rule or not by sending AS message, for example. In one example, no response indicates that UE 300 agrees with the provided rule.
4. (optional) if necessary, the steps 1 through 3 are repeated by the RAN node 500 by adjusting the integrity protection rule until the UE 300 indicates its agreement.
5. (optional) the RAN node 500 informs to the CN 700 regarding the integrity protection rule with the UE 300.
6. The UE 300 and the RAN node 500 execute the UP traffic transfer using the integrity protection rule provided by the RAN node 500.

Advantages of this variant are summarized as follows:

-   The UE 300 can become aware of the integrity protection scheme the RAN node 500 expects from the UE 300 (UL UP traffic).
-   The UE 300 can become aware of the integrity protection scheme the RAN node 500 uses to the UE 300 (DL UP traffic).
-   This scheme is beneficial to determine the integrity protection scheme in the UE 300 for UL UP traffic.

Variant 3:

In this variant, the procedures described in variants 1 and 2 are combined so that both the UE 300 and the RAN node 500 exchange capability and rule (and preference) to negotiate and reach agreement between them with respect to the integrity protection rule to be used between the UE 300 and the RAN node 500.

FIG. 5 illustrates this procedure.

The steps are described as follows:

1. The UE 300 sends its capability of the integrity protection for the UP traffic.
2. The RAN node 500 indicates its rule (or preference) for the integrity protection for the UP traffic.
3. Based on the information exchanged in step 1 and 2, both sides reach agreement in the rule for the integrity protection.
4. The UE 300 and the RAN node 500 execute the UP traffic transfer using the integrity protection rule established in step 3.

Advantages of this variant are summarized as follows:

-   Both the UE 300 and the RAN node 500 can reach the informed decision to establish the rule for integrity protection for the UP traffic.

Variant 4:

In this variant, the CN 700 indicates the rule (or preference) to the RAN node 500 for the integrity protection rule. The integrity protection rule consists of similar type of information as described in variant 1 in the preceding section. But instead of this information being sent by the UE 300, in this variant, the CN 700 provides the rule to the RAN node 500.

In this example, the integrity protection rule can be represented in Table 4.

TABLE 4 CN's rule (or preference) on integrity protection scheme

Condition | CN's rule (or preference)
1) metric value < threshold A | Full integrity protection
2) Threshold A <= metric value < threshold B | Full integrity protection or Partial integrity protection
3) Threshold B <= metric value | Partial integrity protection

In Table 4, “threshold A” and “threshold B” indicate a certain condition for which the UE 300 is under. In one example, the threshold can indicate data rate, such as specific to DL traffic, specific to UL traffic, or both DL and UL traffic. In another example, these thresholds can represent some other metric other than data rate.

The following description is based on the data rate being used as the threshold.

Condition 1 indicates the data rate is below a certain threshold for which the RAN node 500 is requested to perform full integrity protection on all UP traffic between the UE 300 and the RAN node 500. Condition 2 indicates the data rate is in the “border line zone” where the full integrity protection on all UP traffic may not be possible. Under this condition, the CN 700 requests the RAN node 500 to use either full or partial integrity protection depending on factors such as the actual traffic rate at the time of transmission or reception, etc. Condition 3 indicates the data rate is above the threshold where the RAN node 500 is no longer requested to perform full integrity protection on all UP traffic between the UE 300 and the RAN node 500.

In one example, there can be only one threshold or multiple thresholds being indicated by the CN 700 (2 thresholds shown in the example in Table 4).

Threshold A and threshold B in this indication can be determined by the CN 700 or pre-configured in the CN 700.

The CN 700 indicates this rule to the RAN node 500 so that the RAN node 500 becomes aware of the integrity protection scheme to be used between the UE 300 and the RAN node 500 based on the defined thresholds.

FIG. 6 illustrates the procedures for the CN 700 to indicate its rule (or preference) to the RAN node 500.

The steps are described as follows:

1. The CN 700 determines the integrity protection rule.
2. The CN 700 informs the rule to the RAN node 500.
3. (optional) the UE 300 responds to the RAN node 500 to indicate that the RAN node 500 has accepted the rule from the CN 700. In one example, no response indicates that RAN node 500 agrees with the provided rule.
4. The UE 300 and the RAN node 500 execute the UP traffic transfer using the integrity protection rule provided by the CN 700.

Advantages of this variant are summarized as follows:

-   The CN 700 can set the rule of the integrity protection scheme the RAN node 500 to use in the UP traffic flow between the UE 300 and the RAN node 500.
-   The RAN node 500 can become aware of the integrity protection scheme the CN 700 expects to use between the UE 300 and the RAN node 500.

Variant 5:

In this variant, the previously described variants are combined to establish end-to-end integrity protection rule to be used between the UE 300 and the RAN node 500.

In one example, the CN 700 first notifies the rule (or preference) to the RAN node 500. Then based on the rule provided by the CN 700, the RAN node 500 and the UE 300 establish the integrity protection rule for the UP traffic.

In one example, the integrity protection rule provided by the CN 700 to the RAN node 500 is considered as a guideline for the RAN node 500 to take into account upon negotiating the rule between the UE 300 and the RAN node 500. In another example, the integrity protection rule provided by the CN 700 to the RAN node 500 is considered as a mandatory rule for the RAN node 500 and the UE 300 to use; in this case, the negotiation step between the UE 300 and the RAN node 500 is skipped. In this sense, the negotiation step between the UE 300 and the RAN node 500 is optional.

FIG. 7 illustrates the procedures for the end-to-end integrity protection rule.

The steps are described as follows:

1. The CN 700 and the RAN node 500 establish the integrity protection rule to be used between the UE 300 and the RAN node 500. This is based on variant 4 described in the earlier section.
2. (optional) based on the rule established in step 1 above, the UE 300 and the RAN node 500 establish the integrity protection rule to be used between the UE 300 and the RAN node 500. This is based on either variant 3 described in the earlier section. This step is skipped if the rule provided by the CN 700 in step 1 is indicated as a mandatory for the RAN node 500 to follow.
3. The UE 300 and the RAN node 500 execute the UP traffic transfer using the integrity protection rule established in step 1 and 2.

Advantages of this variant are summarized as follows:

-   All entities including the UE 300, the RAN node 500, and the CN 700 establish the integrity protection rule based on information exchanged and negotiation between them.
-   The CN 700 can instruct the RAN node 500 with either 1) the mandatory rule or 2) guideline for the integrity protection to be applied for the RAN node 500 to use.

Third Embodiment—Dynamically Controlling the Integrity Protection Mechanism Based on the Measured Value Against the Threshold

This embodiment describes the mechanism in which the transmitter side determines the integrity protection scheme to be used based on a given condition.

The transmitting side refers to either the UE 300 or the RAN node 500depending on the direction of the UP traffic—the UE 300 for the ULtraffic, and the RAN node 500 for DL traffic.

The following description is based on the data rate being used as thethreshold. However, other criteria are not excluded.

FIG. 8 describes the procedure in the transmitting side.

When traffic to be sent is passed from the upper layer in the transmitting side (Step 11), the transmitter side checks the ongoing data rate for the DRB for the UE 300 (Step 12). Based on the measured data rate, the transmitter determines which integrity protection scheme (full or partial) or no protection is applied to the outgoing traffic (Step 13). Depending on this selection, the transmitter applies the selected integrity protection scheme to the outgoing traffic (Step 14 or Step 15) and transmits it to the receiving side (Step 16).

In one example, the transmitter side periodically or continuously monitors the data rate. This information, collected over a period of time, gives an indication of the trend in the dynamic change in the data rate. The monitored data can be saved for a certain period and used for analysis of the traffic trend. Older data may be replaced by newly collected data. This information can further be used as a basis to determine the hysteresis upon determining whether a threshold is crossed or not. Use of hysteresis reduces potentially frequent changes in the use of integrity protection, or changes between periods with integrity protection and periods without integrity protection.

In one example, the transmitter side monitors more than one DRB for a given UE 300. In case a UE 300 has multiple DRBs being used simultaneously, the aggregate data rate for all DRBs may be used to determine the threshold where the integrity protection scheme is changed, turned on or off.

In one example, if the data rate crosses the threshold that was established in the rule using any of the mechanism variants described in section 2.2, the transmitter side adjusts the integrity protection scheme to match the corresponding criteria in the rule. In other words, if the data rate crosses the determined threshold as defined in the established rule being used, then the transmitter may apply different integrity protection to the UP traffic. For example, depending on the established rule, if the data rate goes above the threshold, then the integrity protection may change from full to partial. Likewise, if the data rate goes down below the threshold, then the integrity protection may change from partial to full. This depends on the established rule and threshold value.

In one example, information on which type of integrity protection is applied in a given packet can be indicated at the PDCP PDU level. In particular, one or more reserved bits in the PDCP header can be used to indicate whether full or partial integrity protection is used in the PDU. Using this information, the receiving side knows which integrity protection scheme (or no integrity protection) is used in the PDCP PDU.

One example of the use of reserved bits is shown in FIG. 9. Other definitions to convey the same information are possible and are not excluded.

FIG. 10 describes the procedure in the receiving side.

In one example, the lower layer indicates the arrival of an incoming packet (Step 21). The receiving side determines the type of integrity protection used in the received PDCP PDU based on the indication as described above in FIG. 9 as an example (Step 22). The receiver checks if integrity protection is applied to the received PDU or not, and if so, whether it is full integrity protection or partial integrity protection (Step 23). Depending on the check in Step 23, the receiver verifies the integrity of the received PDU using either full integrity protection (Step 24) or partial integrity protection (Step 25). The receiver checks if the integrity check is successful or not (Step 26). If it is successful, then the received PDU is passed to the upper layer for further processing (Step 27). If it is a failure, then the received PDU is discarded, and optionally, an error indication is sent to the transmitter side (Step 28).

The receiving side refers to either the UE 300 or the RAN node 500 depending on the direction of the UP traffic: the UE 300 for the DL traffic, and the RAN node 500 for UL traffic.

In one example, the receiver side determines the type of integrity protection used in the received PDCP PDU based on the information indicated in the PDCP header as described in FIG. 9.

In another example, the receiver side determines the type of integrity protection used in the received PDCP PDU based on its own measurement of the ongoing data rate.
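The transmitter and receiver procedures of FIG. 8 and FIG. 10, sketched as an added example that is not part of the original disclosure. Assumptions: two of the reserved bits in a 12-bit-SN PDCP data PDU header carry the scheme code (FIG. 9 is not reproduced here), partial protection covers the header and the first 16 payload bytes, truncated HMAC-SHA-256 stands in for the 3GPP integrity algorithm, and the receiver additionally rejects any indicated scheme outside the set allowed by the established rule.

```python
import hashlib
import hmac
from enum import IntEnum

MAC_LEN = 4        # MAC-I is 32 bits in PDCP
PARTIAL_SPAN = 16  # ASSUMPTION: "partial" covers header + first 16 payload bytes


class Scheme(IntEnum):
    # ASSUMPTION: 2-bit code carried in two reserved (R) bits of the header.
    NONE = 0
    PARTIAL = 1
    FULL = 2


class SchemeSelector:
    """Transmitter side, Steps 12-13: pick a scheme from the measured rate."""

    def __init__(self, threshold_bps, hysteresis_bps):
        self.upper = threshold_bps + hysteresis_bps  # full -> partial above this
        self.lower = threshold_bps - hysteresis_bps  # partial -> full below this
        self.current = Scheme.FULL

    def select(self, drb_rates_bps):
        rate = sum(drb_rates_bps)  # aggregate over all DRBs of the UE
        if self.current is Scheme.FULL and rate > self.upper:
            self.current = Scheme.PARTIAL
        elif self.current is Scheme.PARTIAL and rate < self.lower:
            self.current = Scheme.FULL
        return self.current


def _mac(key, header, payload, scheme):
    # Stand-in MAC: truncated HMAC-SHA-256, not a 3GPP NIA algorithm.
    covered = payload if scheme is Scheme.FULL else payload[:PARTIAL_SPAN]
    return hmac.new(key, header + covered, hashlib.sha256).digest()[:MAC_LEN]


def build_pdu(key, sn, payload, scheme):
    """Steps 14-16. Header: D/C=1, three R bits, SN[11:8], then SN[7:0]."""
    header = bytes([0x80 | (int(scheme) << 4) | ((sn >> 8) & 0x0F), sn & 0xFF])
    tag = b"" if scheme is Scheme.NONE else _mac(key, header, payload, scheme)
    return header + payload + tag


def receive_pdu(key, pdu, allowed):
    """Steps 22-28: return the payload, or None when the PDU is discarded."""
    if len(pdu) < 2:
        return None
    try:
        scheme = Scheme((pdu[0] >> 4) & 0x3)       # Step 22: read the indication
    except ValueError:
        return None                                # undefined code: discard
    if scheme not in allowed:                      # not permitted by the agreed rule
        return None
    header, body = pdu[:2], pdu[2:]
    if scheme is Scheme.NONE:                      # Step 23: no protection applied
        return body
    if len(body) < MAC_LEN:
        return None
    payload, tag = body[:-MAC_LEN], body[-MAC_LEN:]
    expected = _mac(key, header, payload, scheme)  # Step 24 (full) / 25 (partial)
    if hmac.compare_digest(tag, expected):         # Step 26
        return payload                             # Step 27: pass to upper layer
    return None                                    # Step 28: discard


def demo():
    key = bytes(range(16))      # constructed key, for illustration only
    payload = bytes(range(40))  # constructed user plane payload
    selector = SchemeSelector(100_000_000, 10_000_000)
    allowed = {Scheme.PARTIAL, Scheme.FULL}
    scheme = selector.select([70_000_000, 50_000_000])  # 120 Mbit/s aggregate
    pdu = build_pdu(key, 7, payload, scheme)
    return scheme, receive_pdu(key, pdu, allowed) == payload


if __name__ == "__main__":
    print(demo())
```

Because the header bytes are part of the MAC input, a PDU whose scheme bits are altered in transit fails verification instead of being checked under a weaker scheme.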

Fourth Embodiment—Method in Mobility, Handover and Interworking Between Different Systems

In various intra-system and inter-system mobility scenarios involving multiple systems such as 5GS and EPS, capabilities and usage of the UE's integrity protection mechanisms described in this disclosure are verified by the network nodes such as eNB, MME, gNB and AMF in the source or the target system before deciding to accept or reject the mobility request, e.g., handover request or TAU update request. The relevant mobility scenarios include interworking between different systems, e.g., between EPS and 5GS in either direction. If the integrity protection capabilities or the mechanism used by the UE 300 are not supported by the target nodes in the target system, the handover or TAU procedure in the target system is either rejected or accepted with changes in the UE's integrity protection mechanisms to conform to the supported integrity protection functionalities in the target system.

The UE's integrity protection capabilities or mechanisms that are verified in these inter-system mobility scenarios include the value or range of the parameters or conditions used for the integrity protection schemes described in this disclosure. For the scenario of interworking between EPS and 5GS systems, mapping of the security capabilities is necessary in order to maintain the same integrity protection mechanism being used for the UE 300, or to derive the alternate integrity protection mechanism for the UE 300 in the target system. If the functionalities in this disclosure are supported in the 5GS system but not in the EPS system, then the capabilities mapped to the EPS system are applied to determine whether integrity protection is used for the UE 300 or not as the UE 300 moves to the target system.

Further, as per the relevant 3GPP specification, integrity protection for UP data traffic is not used in the EPS system and is optional in the 5GS system. However, it may be used for security reasons. If integrity protection for UP data is required but is not used or not supported in the target system, then the UE's mobility to the target system is either rejected or the integrity protection mechanism is changed to allow the UE's mobility to the target system.

In one example, mobility to the target system is allowed if the UE 300 accepts the change in integrity protection mechanism supported in the target system. The decision in the UE 300 is determined by factors such as the type of service or services the UE 300 is using at the time of the mobility event and the sensitivity of the information or type of communication.

For example, different types of services are characterized by different levels of sensitivity, such that integrity protection may or may not be needed. If the UE 300 is using a type of service which does not strictly require the use of integrity protection, or if reduction or loss of integrity protection is tolerable to the UE 300, then the mobility to the target system is allowed.

In another example, the mobility to the target system is denied if the UE 300 does not accept, or is not able to cope with, the change in the integrity protection mechanism supported in the target system as the result of the mobility event. One scenario is where, as the result of the mobility event to the target system, the UE 300 has to incur either loss or reduction in the level of integrity protection for the type of service it uses.

General Description of the Embodiments

The general description of the disclosure is described below.

FIG. 11 shows the general components of the User Equipment (UE 300). It consists of a memory unit, an application processor unit, a baseband processor unit, and an RF transceiver unit.

The RF transceiver is configured to transmit packets in uplink or receive packets in downlink, and does the radio layer processing such as modulation, de-modulation, radio transmission, reception, etc.

The baseband processor unit is configured to handle physical layer processing such as configuration, allocation, management, and usage of radio resources, such as physical channels, logical channels, and transport channels.

The application processor unit is configured to process the communication protocol stack, CP signaling, UP traffic handling, application layer message handling, configuration management, fault management, etc.

The memory unit is configured to store information for the UE 300.

FIG. 12 shows the general components of the base station. Base station is a generic terminology to refer to the RAN infrastructure and has specific terminology for different generations of mobile systems. For example, it is called gNB in the 5G system and eNB in the 4G (LTE) system. It consists of a memory unit, an application processor unit, a baseband processor unit, and an RF transceiver unit.

FIG. 13 shows the general components of the network element, such as the AMF in the 5G Core Network (CN 700). It consists of a memory unit, a processing unit, and a communication unit.

The description in this disclosure is in the context of a 5G system. However, it is possible to apply the same methods to any other systems such as 4G (LTE/LTE-Advanced) systems and/or the like.

Beneficially, the above described exemplary embodiments include, although they are not limited to, one or more of the following functionalities:

First Embodiment

1) The RAN node/CN can determine the maximum data rate for which the UE can perform full integrity protection for the UP traffic.
2) No explicit capability indication from the UE is necessary.
3) Can handle all 3GPP release UEs (irrespective of whether or not the UE supports capability indication of the maximum data rate support for full integrity protection).

Second Embodiment

1) The UE and RAN node can determine the integrity protection rule for UP traffic based on one or more information: 1) UE indication, 2) RAN node indication, 3) CN node indication, 4) combination of multiple indications.
2) The RAN node can determine the integrity protection rule based on the UE's capability.
3) The RAN node can instruct the integrity protection rule to the UE based on either: 1) RAN node's own rule (or preference) or CN's rule (or preference).
4) The UE and the RAN node can negotiate and agree on the integrity protection rule by exchanging capability and rule (or preference).
5) The CN can instruct the integrity protection rule to the RAN node based on its own rule (or preference).
6) The UE, the RAN node, and the CN can collectively negotiate and agree on the integrity protection rule by exchanging capability and rule (or preference).

Third Embodiment

1) The transmitting side (either the RAN node for DL or the UE for UL) can dynamically determine the type of integrity protection scheme to be used in the PDCP PDU based on the determined criteria.
2) The transmitter side (either the RAN node for DL or the UE for UL) can change the integrity protection scheme dynamically based on the rule and threshold.
3) The transmitting side (either the RAN node for DL or the UE for UL) can indicate the type of integrity protection used in the PDCP PDU.
4) The receiving side can apply the correct integrity protection check to the received PDCP PDU.

The above embodiments describe exemplary methods comprising (at least some of) the steps of:

First Embodiment

1) The CN transmits DL UP traffic to the UE with full integrity protection.
2) The UE responds to the RAN node or CN if the UE is not able to process full integrity protection for all received DL UP traffic.
3) The RAN node or the CN adjusts the DL UP traffic data rate.
4) The UE determines it can process full integrity protection for all received DL UP traffic.
5) The RAN node or the CN stores the data rate for which the UE is able to process full integrity protection for all received DL UP traffic.

Second Embodiment

Variant 1:

1) The UE indicates its integrity protection capability or rule (or preference) to the RAN node or CN.
2) The RAN node or the CN uses the received capability information to determine the threshold to determine the integrity protection rule.

Variant 2:

1) The RAN node indicates its integrity protection rule (or preference) to the UE.
2) The UE uses the received rule (or preference) upon transmitting or receiving the UP traffic.

Variant 3:

1) The UE and the RAN node exchange the integrity protection capability or rule with each other.
2) The UE and the RAN node agree on the integrity protection rule to be used.

Variant 4:

1) The CN indicates its integrity protection rule (or preference) to the RAN node.
2) The RAN node uses the received rule (or preference) upon transmitting or receiving the UP traffic to the UE.

Variant 5:

1) The CN and the RAN node determine the integrity protection rule.
2) The RAN node and UE determine the integrity protection rule.
3) The UE, RAN node, and the CN transmit or receive the UP traffic.

Third Embodiment

1) The transmitter side (either the UE or the RAN node depending on the traffic direction) determines which integrity protection scheme is to be used, or no integrity protection at all, upon transmitting the UP traffic based on the rule.
2) The transmitter side indicates the type of integrity protection used, or no integrity protection at all, in the PDCP header.
3) The receiving side applies the appropriate integrity protection check to the received PDCP PDU.

Benefits

The RAN node or CN can determine the maximum data rate for which the UE can process full integrity protection without explicit indication from the UE itself, based on the empirical information derived from the course of normal UP traffic handling.

The UE, the RAN node, and the CN can determine the integrity protection rule based on threshold values (e.g., data rate).

The transmitting side (either the RAN node for DL or the UE for UL) can dynamically determine or change the integrity protection used in the PDCP PDU based on a set of criteria (threshold).

The transmitting side (either the RAN node for DL or the UE for UL) can indicate the type of integrity protection used in the PDCP PDU.

System Overview

FIG. 14 schematically illustrates a mobile (cellular or wireless) telecommunication system 1 to which the above embodiments (and variants thereof) are applicable.

In this network, users of mobile devices 3 (UEs) can communicate with each other and other users via respective base stations 5 and a core network 7 using an appropriate 3GPP radio access technology (RAT), for example, an E-UTRA and/or 5G RAT. It will be appreciated that a number of base stations 5 form a (radio) access network or (R)AN. As those skilled in the art will appreciate, whilst one mobile device 3 and one base station 5 are shown in FIG. 8 for illustration purposes, the system, when implemented, will typically include other base stations and mobile devices (UEs).

Each base station 5 controls one or more associated cells (either directly or via other nodes such as home base stations, relays, remote radio heads, distributed units, and/or the like). A base station 5 that supports E-UTRA/4G protocols may be referred to as an ‘eNB’ and a base station 5 that supports Next Generation/5G protocols may be referred to as a ‘gNB’. It will be appreciated that some base stations 5 may be configured to support both 4G and 5G, and/or any other 3GPP or non-3GPP communication protocols.

The mobile device 3 and its serving base station 5 are connected via an appropriate air interface (for example the so-called ‘Uu’ interface and/or the like). Neighbouring base stations 5 are connected to each other via an appropriate base station to base station interface (such as the so-called ‘X2’ interface, ‘Xn’ interface and/or the like). The base station 5 is also connected to the core network nodes via an appropriate interface (such as the so-called ‘S1’, ‘N1’, ‘N2’, ‘N3’ interface, and/or the like).

The core network 7 typically includes logical nodes (or ‘functions’) for supporting communication in the telecommunication system 1. Typically, for example, the core network 7 of a ‘Next Generation’/5G system will include, amongst other functions, control plane functions (CPFs) 10 and user plane functions (UPFs) 11. From the core network 7, connection to an external IP network 20 (such as the Internet) is also provided.

The components of this system 1 are configured to perform the above described exemplary embodiments.

User Equipment (UE)

FIG. 15 is a block diagram illustrating, in more detail, the main components of the UE (mobile device 3) shown in FIGS. 11 and 14. As shown, the UE 3 includes a transceiver circuit 31 which is operable to transmit signals to and to receive signals from the connected node(s) via one or more antenna 33. Although not necessarily shown, the UE will of course have all the usual functionality of a conventional mobile device (such as a user interface 35) and this may be provided by any one or any combination of hardware, software and firmware, as appropriate. A controller 37 controls the operation of the UE in accordance with software stored in a memory 39. The software may be pre-installed in the memory 39 and/or may be downloaded via the telecommunication network 1 or from a removable data storage device (RMD), for example. The software includes, among other things, an operating system 41 and a communications control module 43. The communications control module 43 is responsible for handling (generating/sending/receiving) signalling messages and uplink/downlink data packets between the UE 3 and other nodes, including (R)AN nodes 5 and core network nodes.

(R)AN Node

FIG. 16 is a block diagram illustrating, in more detail, the main components of an exemplary (R)AN node 5 (base station) shown in FIGS. 12 and 14. As shown, the (R)AN node 5 includes a transceiver circuit 51 which is operable to transmit signals to and to receive signals from connected UE(s) 3 via one or more antenna 53 and to transmit signals to and to receive signals from other network nodes (either directly or indirectly) via a network interface 55. The network interface 55 typically includes an appropriate base station to base station interface (such as X2/Xn) and an appropriate base station to core network interface (such as S1/N1/N2/N3). A controller 57 controls the operation of the (R)AN node 5 in accordance with software stored in a memory 59. The software may be pre-installed in the memory 59 and/or may be downloaded via the telecommunication network 1 or from a removable data storage device (RMD), for example. The software includes, among other things, an operating system 61 and a communications control module 63. The communications control module 63 is responsible for handling (generating/sending/receiving) signalling between the (R)AN node 5 and other nodes, such as the UE 3 and the core network nodes/network elements.

Core Network Node

FIG. 17 is a block diagram illustrating, in more detail, the main components of a generic core network node (network element or function) shown in FIGS. 13 and 14. As shown, the core network node includes a transceiver circuit 71 which is operable to transmit signals to and to receive signals from other nodes (including the UE 3 and the (R)AN node 5) via a network interface 75. A controller 77 controls the operation of the core network node in accordance with software stored in a memory 79. The software may be pre-installed in the memory 79 and/or may be downloaded via the telecommunication network 1 or from a removable data storage device (RMD), for example. The software includes, among other things, an operating system 81 and at least a communications control module 83. The communications control module 83 is responsible for handling (generating/sending/receiving) signaling between the core network node and other nodes, such as the UE 3, (R)AN node 5, and other core network nodes. Such signaling includes appropriately formatted requests and responses (PDUs) in accordance with one of the above described embodiments.

Modifications and Alternatives

Detailed embodiments have been described above. As those skilled in the art will appreciate, a number of modifications and alternatives can be made to the above embodiments whilst still benefiting from the disclosures embodied therein. By way of illustration only, a number of these alternatives and modifications will now be described.

In the above description, the UE, the (R)AN node, and the core network node are described for ease of understanding as having a number of discrete modules (such as the communication control modules). Whilst these modules may be provided in this way for certain applications, for example where an existing system has been modified to implement the disclosure, in other applications, for example in systems designed with the inventive features in mind from the outset, these modules may be built into the overall operating system or code and so these modules may not be discernible as discrete entities. These modules may also be implemented in software, hardware, firmware or a mix of these.

Each controller may comprise any suitable form of processing circuitry including (but not limited to), for example: one or more hardware implemented computer processors; microprocessors; central processing units (CPUs); arithmetic logic units (ALUs); input/output (IO) circuits; internal memories/caches (program and/or data); processing registers; communication buses (e.g. control, data and/or address buses); direct memory access (DMA) functions; hardware or software implemented counters, pointers and/or timers; and/or the like.

In the above embodiments, a number of software modules were described. As those skilled in the art will appreciate, the software modules may be provided in compiled or un-compiled form and may be supplied to the UE, the (R)AN node, and the core network node as a signal over a computer network, or on a recording medium. Further, the functionality performed by part or all of this software may be performed using one or more dedicated hardware circuits. However, the use of software modules is preferred as it facilitates the updating of the UE, the (R)AN node, and the core network node in order to update their functionalities.

The above embodiments are also applicable to ‘non-mobile’ or generally stationary user equipment.

Various other modifications will be apparent to those skilled in the art and will not be described in further detail here.

CITATION LIST

Non Patent Literature

-   [NPL 1] NEC-Japan invention disclosure, “Integrity protection for user plane data in 5G network” (filing #5050000034), February 2018
-   [NPL 2] NEC-Japan invention disclosure, “Efficient integrity protection” (filing #5050000050), September 2018
-   [NPL 3] Lenovo, Motorola Mobility, S3-182942, “Achieving higher data rates for UP IP”, 3GPP SA3 #92bis, September 2018
-   [NPL 4] 3GPP RAN2, S3-181650 (R2-1804056), “UE capability related to integrity protection of DRBs”, 3GPP SA3 #91, May 2018
-   [NPL 5] 3GPP TS 23.501 V15.3.0, “System Architecture for the 5G System”
-   [NPL 6] 3GPP TS 23.502 V15.3.0, “Procedures for the 5G System”
-   [NPL 7] 3GPP TS 33.501 V15.2.0, “Security architecture and procedures for 5G System”
-   [NPL 8] 3GPP TS 38.323 V15.3.0, “Packet Data Convergence Protocol”

Abbreviations

-   2G: 2nd Generation
-   3G: 3rd Generation
-   3GPP: 3rd Generation Partnership Project
-   4G: 4th Generation
-   5G: 5th Generation
-   5G CN: 5G Core Network
-   AMF: Access and Mobility management Function
-   AN: Access Network
-   AS: Access Stratum
-   CN: Core Network
-   CP: Control Plane
-   DL: DownLink
-   DRB: Data Radio Bearer
-   gNB: Next-generation NodeB
-   LTE: Long Term Evolution
-   MAC-I: Message Authentication Code-Integrity
-   MD: Message Digest
-   NAS: Non-Access Stratum
-   NE: Network Element
-   NG: Next Generation (i.e., 5G)
-   PDCP: Packet Data Convergence Protocol
-   PDU: Protocol Data Unit
-   RAN: Radio Access Network
-   RB: Radio Bearer
-   SHA: Security Hash Algorithm
-   SN: Sequence Number
-   SRB: Signaling Radio Bearer
-   TAU: Tracking Area Update
-   TS: Technical Specification
-   UE: User Equipment
-   UL: UpLink
-   UP: User Plane

Although the present disclosure has been described above with reference to some aspects, the present disclosure is not limited to the aspects. The configurations and details of the present disclosure can be changed in various manners that can be understood by one skilled in the art within the scope of the present disclosure.

This application is based upon and claims the benefit of priority from European patent application No. 18204190.5, filed on Nov. 2, 2018, the disclosure of which is incorporated herein in its entirety by reference.

REFERENCE SIGNS LIST

-   1 telecommunication system
-   3 mobile device
-   31 transceiver circuit
-   33 antenna
-   35 user interface
-   37 controller
-   39 memory
-   41 operating system
-   43 communications control module
-   300 UE
-   301 memory unit
-   302 application processor unit
-   303 baseband processor unit
-   304 RF transceiver
-   5 base station
-   51 transceiver circuit
-   53 antenna
-   55 network interface
-   57 controller
-   59 memory
-   61 operating system
-   63 communications control module
-   500 RAN
-   510 base station
-   511 memory unit
-   512 application processor unit
-   513 baseband processor unit
-   514 RF transceiver
-   7 core network
-   71 transceiver circuit
-   75 network interface
-   77 controller
-   79 memory
-   81 operating system
-   83 communications control module
-   700 CN
-   710 network equipment
-   711 memory unit
-   712 processing unit
-   713 communication unit
-   10 CPF
-   11 UPF
-   20 external IP network

What is claimed is:
1. A user equipment (UE), comprising: a memory configured to store instructions; and a processor configured to execute the instructions to: receive, from a network device, user plane data having integrity protection, send an error indication indicating an integrity protection error relating to the user plane data, and receive retransmitted user plane data from the network device with a reduced data rate, based on the error indication.
2.-3. (canceled)
4. The UE of claim 1, wherein the integrity protection error corresponds to a failure of the UE in performing an integrity protection check on the user plane data.
5.-7. (canceled)
8. The UE of claim 1, wherein the integrity protection error relates to capability information of the UE.
9. The UE of claim 1, wherein the processor is further configured to execute the instruction to: send a success indication indicating an integrity protection success corresponding to a success of the UE in performing an integrity protection check on the retransmitted user plane data.
10. The UE of claim 1, wherein the processor is further configured to execute the instructions to: send a success indication indicating an integrity protection success corresponding to a success of the UE in performing an integrity protection check on the retransmitted user plane data, wherein the integrity protection error corresponds to a failure of the UE in performing an integrity protection check on the user plane data.
11. A method comprising: receiving, by a user equipment (UE) and from a network device, user plane data having integrity protection; sending, by the UE, an error indication indicating an integrity protection error relating to the user plane data; and receiving, by the UE, retransmitted user plane data from the network device with a reduced data rate, based on the error indication.
12.-13. (canceled)
14. The method of claim 11, wherein the integrity protection error corresponds to a failure of the UE in performing an integrity protection check on the user plane data.
15.-17. (canceled)
18. The method of claim 11, wherein the integrity protection error relates to capability information of the UE.
19. The method of claim 11, further comprising: sending, by the UE, a success indication indicating an integrity protection success corresponding to a success of the UE in performing an integrity protection check on the retransmitted user plane data.
20. The method of claim 11, further comprising: sending, by the UE, a success indication indicating an integrity protection success corresponding to a success of the UE in performing an integrity protection check on the retransmitted user plane data, wherein the integrity protection error relates to capability information of the UE.
21.-30. (canceled)
31. A method comprising: sending, by a network device and to a user equipment (UE), user plane data having integrity protection; receiving, by the network device, an error indication indicating an integrity protection error relating to the user plane data; and sending, by the network device and to the UE, retransmitted user plane data with a reduced data rate, based on the error indication.
32.-33. (canceled)
34. The method of claim 31, wherein the integrity protection error corresponds to a failure of the UE in performing an integrity protection check on the user plane data.
38. The method of claim 31, wherein the integrity protection error relates to capability information of the UE.
39. The method of claim 31, further comprising: receiving a success indication indicating an integrity protection success corresponding to a success of the UE in performing an integrity protection check on the retransmitted user plane data.
40. The method of claim 31, further comprising: receiving a success indication indicating an integrity protection success corresponding to a success of the UE in performing an integrity protection check on the retransmitted user plane data, wherein the integrity protection error relates to capability information of the UE.
41. The UE of claim 1, wherein the integrity protection error corresponds to a failure of the UE in performing an integrity protection check on the user plane data and relates to capability information of the UE.
42. The method of claim 11, wherein the integrity protection error corresponds to a failure of the UE in performing an integrity protection check on the user plane data and relates to capability information of the UE.
43. The method of claim 11 further comprising: sending, by the UE, a success indication indicating an integrity protection success corresponding to a success of the UE in performing an integrity protection check on the retransmitted user plane data, wherein the integrity protection error corresponds to a failure of the UE in performing an integrity protection check on the user plane data.
44. The method of claim 31, wherein the integrity protection error corresponds to a failure of the UE in performing an integrity protection check on the user plane data and relates to capability information of the UE.
45. The method of claim 31 further comprising: receiving a success indication indicating an integrity protection success corresponding to a success of the UE in performing an integrity protection check on the retransmitted user plane data, wherein the integrity protection error corresponds to a failure of the UE in performing an integrity protection check on the user plane data.